U.S. Environmental Protection Agency
Office of Inspector General

11-P-0597
September 9, 2011

At a Glance

Catalyst for Improving the Environment

Results of Technical Vulnerability Assessment: EPA’s Directory Service System Authentication and Authorization Servers

Why We Did This Review

The U.S. Environmental Protection Agency (EPA), Office of Inspector General, conducted this audit to identify vulnerabilities associated with EPA’s directory service system authentication and authorization servers, and provide the results to the appropriate EPA officials who can then promptly remediate and/or document planned actions to resolve the identified vulnerabilities. This audit was conducted in support of the audit of EPA’s implementation of its directory service system.

Background

A directory service provides a centralized location to store information about the users, computers, and other equipment on a network, and provides integrated services that are used to manage network users, services, and devices. EPA uses a commercial-off-the-shelf product for its directory service system. This directory service system is implemented using multiple servers, which EPA has placed in various locations on its network to provide enterprise-wide authentication and authorization.

What We Found

Vulnerability testing of EPA’s directory service system authentication and authorization servers conducted in March 2011 identified authentication and authorization servers with numerous high-risk and medium-risk vulnerabilities. The Office of Inspector General met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA’s assets to unauthorized access and potentially harm the Agency’s network.

What We Recommend

We recommend that the Director, Enterprise Desktop Services Division, Office of Environmental Information:

• Provide the Office of Inspector General a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.
• Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.
• Perform a technical vulnerability assessment test of all Agency directory service system authentication and authorization servers within 60 days to confirm completion of remediation activities.

The full report is not available to the public due to the sensitive nature of its technical findings.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.